Bugtraq mailing list archives
Re: NT RPC Service Bug
From: dleblanc () iss net (David LeBlanc)
Date: Wed, 22 Jan 1997 21:21:12 -0600
On 22 Jan 97 20:38:07 GMT, in maillist.bugtraq you wrote:
After you disconnect the rpcss.exe process will start consumming all available process cycles. NT does not allow you to kill rpcsss.exe even under normal operation. You must reboot the machine to get rid of it. You will still be able to launch other application (the NT schedualer will give them CPU time), but they will run very slowly and the CPU will stay at 100% utilization. The performance monitor shows that rougly rpcss.exe spends 20% of the time in user mode, and 80% of the time in system mode.
You can kill it if you use the right tool. However, you may as well reboot anyway. Under NT 4.0, you can protect against this by going into Control Panel, Networks, Protocols, TCP/IP Properties, Advanced, Enable Security, Configure. Then set it to only permit connections from ports 137 and 139 (plus whatever else you need, like FTP). We've tried this, and we can connect to the registry, event log, service manager, user database, and map shares. Frankly, I'm not sure what good the RPC locator service really is. Something will probably break, but this is a better alternative than being at 100% CPU. I have spoken with people at MS, and they tell me a fix is "immenent" - maybe we'll actually see a patch in a few days. Feel free to echo this to bugtraq. I've already posted this information to the ntsecurity list.
Current thread:
- NT4 bug? Or bug in my hardware? Jason T. Luttgens (Jan 21)
- <Possible follow-ups>
- Re: NT4 bug? Or bug in my hardware? Kevin Connolly (Jan 21)
- Re: NT4 bug? Or bug in my hardware? Aaron Spangler (Jan 22)
- Re: NT4 bug? Or bug in my hardware? Peter Hartzler (Jan 22)
- NT RPC Service Bug Aleph One (Jan 22)
- Re: NT RPC Service Bug David LeBlanc (Jan 22)
- Re: NT4 bug? Or bug in my hardware? Aaron Spangler (Jan 22)
- Re: NT4 bug? Or bug in my hardware? Peter Berendi (Jan 23)